Darknet – The Darkside

Ethical Hacking, Penetration Testing & Computer Security

Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more.
Follow us on Twitter, Facebook or RSS for the latest updates.

I’ve always been a great fan of Debian, all the way back into the early days of woody and backporting apt packages.

What a name too, gluck to me usually means g’luck or good luck ;)

Early this morning we discovered that someone had managed to compromise gluck.debian.org. We’ve taken the machine offline and are preparing to reinstall it. This means the following debian.org services are currently offline:

cvs, ddtp, lintian, people, popcon, planet, ports, release

Based on the results of our initial investigation we’ve locked down most other debian.org machines, limiting access to DSA only, until they can be fixed for what we suspect is the exploit used to compromise gluck.

We’re still investigating exactly what happened and the extent of the damage. We’ll post more info as soon as we reasonably can.

I wonder if it’s a 0-day for one of the services? I doubt it’s bad configuration?

If it’s 2.6 kernel though…I’ve noticed it’s pretty badly coded, but most of those exploits are local…they had to get in remotely somehow.

As a dev machine though it is possible a local user used a kernel exploit.

Using standard script kiddy tools a consultant managed to compromise some of the FBI’s computers containing confidential information.

Quite a hack eh?

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.

The consultant Joseph Thomas Colon was approved (although he does have a somewhat unfortunate surname).

The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau’s attempt to sharpen its focus on intelligence and terrorism.

As usual with the government, no specifics are available..It seems like he got a hold of the SAM file or the shadow file from one of the systems then brute forced the hashes with john the ripper or something similar.

According to Colon’s plea, he entered the system using the identity of an FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation’s most secret databases.

Colon used a program downloaded from the Internet to extract “hashes” — user names, encrypted passwords and other information — from the FBI’s database. Then he used another program to “crack” the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet.

The new names they are coming up with for this stuff is straight out of the matrix.

The FBI’s Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office.

While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase — a software system called the Virtual Case File — was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called “Sentinel.”

Ticketcharge.com.my, a Malaysian website that sells event tickets online appears to have been hacked. Forgot to take a screenshot of it but this screenshot from google cache taken today can be seen below. This happened over the weekend or perhaps earlier.

Google cache here . This will be gone when google re-cache the site again.

A honeypot is a device placed on a computer network specifically designed to capture malicious network traffic. The logging capability of a honeypot is far greater than any other network security tool and captures raw packet level data even including the keystrokes and mistakes made by hackers. The captured information is highly valuable as it contains only malicious traffic with little to no false positives.

Honeypots are becoming one of the leading security tools used to monitor the latest tricks and exploits of hackers by recording their every move so that the security community can more quickly respond to new exploits.

How it Works

HoneyBOT works by opening over 1000 udp and tcp listening sockets on your computer and these sockets are designed to mimic vulnerable services. When an attacker connects to these services they are fooled into thinking they are attacking a real server. The honeypot safely captures all communications with the attacker and logs these results for future analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server the honeypot environment will safely store these files on your computer for analysis and submission to antivirus vendors. Our test server has captured several thousand trojans and rootkits from these simulated services including:

Dabber

Devil

Kuang

MyDoom

Netbus

Sasser

LSASS

DCOM (msblast, etc)

Lithium

Sub7

HoneyBOT Installation

We suggest that you install HoneyBOT on a dedicated computer with no valuable information or resources required of it. In fact, you want your honeypot to be as free as possible from any legitimate traffic so in broad terms we can consider any traffic to the honeypot to be malicious in nature.

HoneyBOT requires minimum operating system of Windows 2000 and at least 128MB RAM is recommended.

Now this is a scary though, with the digitisation of the old analogue power stations and the accidental cross-over of networks (as we’ve seen before) people could soon be hacking nuclear power station control systems..

he nuclear power industry is going digital — replacing mechanical systems with more efficient, networked computer-controls.

If that makes you nervous in a season-four-of-24 kinda way, you’re not alone. Last week, the US Nuclear Regulatory Commission voted unanimously to add cyber security requirements to federal regulations governing nuclear power plant security.

Scary eh? Something straight out of a sci-fi movie.

The main concern is that the next generation of digital “instrumentation and control”, or I&C, systems could all-too-easily wind up linked to company business networks, and, through them, the internet — all but guaranteeing they’d be hacked.

The risk was illustrated in 2003, when the Slammer worm penetrated a network at the idled Davis-Besse nuclear plant in Ohio, disabling a safety monitoring computer for nearly five hours. The worm snuck in through the energy company’s corporate network, over an unmonitored connection from a contractor’s private LAN.

I think the whole world should be pretty nervous, don’t you?

At an NRC security briefing last March, commissioner (and Los Alamos veteran) Peter Lyons commented he was “very, very nervous” about such interconnections. The exchange that follows shows how nervous nuclear-types are about sounding nervous. From the transcript [PDF]

Spyware companies are apparently netting HUGE profits, it doesn’t surprise me though with the amount of people that actually install the crap on their machines..

Let’s say we don’t like companies like Direct Revenue very much though.

Consumers have strong opinions about Direct Revenue’s software. “If I ever meet anyone from your company, I will kill you,” a person who identified himself as James Chang said in an e-mail to Direct Revenue last summer. “I will f—— kill you and your families.” Such sentiments aren’t unusual. “You people are EVIL personified,” Kevin Horton wrote around the same time. “I would like the four hours of my life back I have wasted trying to get your stupid uninvited software off my now crippled system.”

Direct Revenue makes spyware…and they make money too.

Although it is small by some corporate standards, having generated sales of about $100 million since its start in 2002, its programs have burrowed into nearly 100 million computers and produced billions of pop-up ads.

That’s a hell of a lot.

The industry in general is making a hell of a lot, can you believe it, 11% of total Internet money made is from spyware/adware.

Spyware rakes in an estimated $2 billion a year in revenue, or about 11percent of all Internet ad business, says the research firm IT-Harvest. Direct Revenue’s direct customers have included such giants as Delta Air Lines and Cingular Wireless. It has sold millions of dollars of advertising passed along by Yahoo. And Direct Revenue has received venture capital from the likes of Insight Venture Partners, a respected New York investment firm.

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.

In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.

WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

As WebScarab is a framework more than an actual tool it’s very extensible. Each feature above is implemented as a plugin, and can be removed or replaced. New features can be easily implemented as well.

There is a long list of current features.

The new version has a couple of bug fixes, a logo finally!

And a new memory utilisation widget that runs across the bottom (it does have some memory leaks).

This is an excellent case of Social Engineering, you could also consider it playing on human greed/ignorance/stupidity.

Whatever you want to label it really ;)

USB drives are a real security risk..

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they’d had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network.

They had to think up something a little different though as they had to bait employees that were already on high alert as they knew they were being audited.

I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

The stats are amazing, out of 20 drives, 15 were found…out of the 15 found ALL FIFTEEN were plugged into company computers.

A neat way to get in eh, next time you are asked to push the social engineering buttons during a penetration test or vulnerability assessment perhaps you can do this.

An interesting speculative post on the forensics techniques that would most likely be used by the FBI during the investigation of the recovered Veteran’s Administration laptop.

Most of them are pretty straight forwards if you have any kind of experience with digital forensics and data recovery (disaster recovery, incident response etc.)

As a former Computer Forensic Specialist, I wanted to explain what’s probably going on with this laptop now that the FBI has the system and is forensically examining it. This explanation assumes the data was present on the hard drive (not a CD-Rom or other storage medium).

The two main areas cover physical examination and digital examination, physical would be looking for fingerprints and looking for evidence of tampering (screw heads, case scratches etc.).

A little discussion on MAC times and so on, if anyone is interested in this area, I might elaborate later.

As I said in the previous article, there isn’t much they can do if someone knew what they were doing.

The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop — and this is why I mentioned what the FBI might look for during the physical examination — marks on the screws or finger prints on the internal hard drive casing.